August 15, 2024 • 28 mins
Simple steps can protect small businesses from cybercriminals! Dave Hatter is Cincinnati's own cyber security expert. From the pages of the The Wall Street Journal to the stage of the upcoming event, SCORE Confluence: Shine Online, Dave's sought-after insight is helping small business owners stay a step ahead of the crooks. Listen to this episode for interesting anecdotes and easy-to-implement practices to protect your small business.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 3 (00:03):
Hello.
Speaker 1 (00:03):
My name is Michael Dawson. You're host of My SINSI
Small Business Stories. In this episode, I'll be talking with
David Hatter, director of Business Growth and Intrust. It also
who is the mayor of Fort Wright, Kentucky, an ad
jump instructor for cincin United State Technical and Community College,
plus a whole lot more. We'll find out more about that,
(00:25):
but first we'll be right back after this message.
Speaker 2 (00:28):
Did you know twice as many small businesses survive past
five years when they have the support from a mentor.
My Sinsey Small Business Story is brought to you by
the volunteer mentors of Score Greater Cincinnati, a nonprofit organization
that helps launch hundreds of new small businesses and even
more jobs in Cincinnati, Northern Kentucky, and Indiana every year.
Our vision is to give every person the support they
(00:49):
need to thrive as a small business owner. Visit score
dot org slash Greater Cincinnati to request a free business
mentor or share your own expertise. You can also listen
and subscribe from more stories about overcoming challenges, clearing obstacles,
and owning a successful small business.
Speaker 1 (01:05):
Welcome, Dave, how you doing.
Speaker 3 (01:07):
I'm good Mike, thanks for having me on. I appreciate
the opportunity to chat with you to day.
Speaker 1 (01:10):
Well, I'm just glad your schedule's so busy. I don't
know how you do it. Do you sleep at night
or what's your secret?
Speaker 3 (01:16):
Lots of black coffee twenty four to seven black coffee.
Speaker 1 (01:20):
There you go. Well, on this episode, we'll be talking
about risk online how to navigate online risk with insight
from cybersecurity, legal and web development Dave. I think the
big thing with regard to small businesses is that they
don't take this stuff seriously, and I have some questions
(01:43):
about that. But first, what is the current state of cybersecurity?
Speaker 3 (01:47):
Well, I think you've hit the nail right on the head, Mike.
I mean, you know, Interest has been in business for
more than thirty years, and you know I've been working
in this field of related fields for my entire career.
I think a lot of businesses think, well, too small,
no one's going to come after me. I don't have
anything worth stealing. And I can assure you A your
data is worth stealing because it has intrinsic value and
(02:08):
B it often leads to money, which is what they're
really after. Your money, your money has value to them,
And I just want to set the stage here, Folks
have to understand most of these attacks on small business
are not coming from some dude and his mom's basement.
They're organized crimical, criminal gangs off shore where you can't
reach them. They're coming from places where they don't have
any money, they don't have any opportunity, but they got
(02:29):
a lot of time on their hands and internet access.
So if it takes a few months to break into
your systems and they walk away with ten thousand dollars,
you know, may not be in ur shattering amount of
money to you, but it's a substantial amount of money
to them, you know, And any money they can make,
especially if you make it easy for them, is a
big score. So you've got to understand the incentives of
the criminals out there. Now, that's not to say you
(02:50):
might not be specifically targeted because you're a you know,
a well known business, or you have specific data they
want to steal, trade secrets or whatever. But when people
say I don't have anything, we're stealing, again, your money's
we're stealing. And I would ask folks, if you don't
want to take my word for it, just go to
the Internet Crime Complaints Center IC three dot gov. It's
hosted by the FBI, where they a take reports of
(03:12):
these sorts of crimes and b roll up a report
every year that shows you the statistics. And I think
most people would be shocked when they realize that a
large amount of this crime is directed towards small businesses
because of this sort of mindset, and frankly, they make
themselves an easy target because they don't do the simple
steps that you they don't implement the simple things you
can do to make yourself a more difficult target. So
(03:33):
that's that's kind of where we're at, and these crimes
are definitely rising. Again, don't take my word. See what
the FBI says, Aback.
Speaker 1 (03:40):
I've read Dave that a stat we're sixty percent of
small businesses that get hacked go out of business within
the first twelve months after the hack.
Speaker 3 (03:50):
You know, Mike, you're going to find statistics all over
the place, and you know there are lots of credible statistics,
people like IBM and Ponnham and put out a really
famous report every year. Verizon puts out data breach report. Again,
You've got the FBI sources that you can look for.
My point is you're going to find stats all over
the place, but you'll typically see a common theme. A
the number of attacks is increasing on organizations of all types,
(04:13):
and be the impact of these types of attacks are increasing.
You may have seen recently the city of Columbus just
got hit with ransomware. City governments in particular, when I
put my mayre's hat on, this is something I'm very
concerned about, are increasingly under attack. So they stole a
bunch of data from Columbus, some of it's already been
released out on the internet, sensitive data, and they asked
for a one point seven million dollar ransom. I will
(04:35):
remind folks Huber Heights just south of Dayton got hit
with a ransomware attack last year, and so far what's
been disclosed publicly that I'm aware of is they are
out over eight hundred thousand dollars. Now think about that.
You could pay for a lot of interest time with
eight hundred thousand dollars just saying you know, so you
know again they're they're going after the money. However they
can get to it in most cases, and you know, sadly,
(04:56):
these kinds of crimes are definitely rising and again I
I really just can't stress en up to people. Well,
there's nothing that's fool proof, there's nothing that will make
you absolutely impervious to these kinds of attacks. There are
things you can do as an individual and as an
organization that will make you a much much more difficult target.
And in most cases, unless you are being explicitly targeted
for some reason, they're going to move on to a
(05:18):
softer target. You know, they don't want to spend three
months to break into your organization if they can spend
three minutes to break into another one, steal some money
and move on, right. I mean it's in many cases
these are crimes of opportunity and they're just going for
the low hanging fruit.
Speaker 1 (05:31):
Unfortunately, what are the most common attacks that you're seeing.
Speaker 3 (05:36):
So in the Cincinnati market, And this is backed up
by the statistics you will find if you go look
for the most part, the fundamental thing we see is
what's sort of known in the business's business email compromise,
and that's a pretty wide umbrella. But this is another
myth I'm constantly trying to dispel. People say, well, what
could you do if you get into my email? I
don't have anything secret in there, I don't care well
(05:57):
some of the things I might be able to do,
And I'm going to give you some real world instances.
I have firsthand knowledge of a Cincinnati based company that
lost nine hundred and eighty three thousand dollars because their
email is compromised. So one of the most common types
of business email compromise is because people have bad passwords,
because people don't use multi factor authentication, the bad guys
are able to get into their email. They lurk around
(06:19):
in there and just see what you're talking about, what
you're doing. Perhaps then they will impersonate you. Perhaps they
will send emails as you. You know. The most common
thing is, as a business email compromise, I figure out
who you are sending invoices to, and then around the
invoice cycle time, I make duplicates of your invoices, but
(06:40):
I change the payment information. So now an invoice comes
from a legitimate email address in your company, it goes
to someone who's expecting an invoice from you. And unless
they read it very carefully and notice you've changed the
payment information, guess what the bad guys send the money
to somewhere else, or the bad guys get the money
that should have been sent to you. Now, how do
(07:00):
you think it's going to go, Mike, When you call
your customer like, hey, you didn't pay invoice numbers such
and such, and they go, oh, sure we did. You know,
here's the check number. You go, well, we didn't get
the money. You think they're going to cut you another
check for that? I can bumble you. I can assure
you they are not, because you know you are entirely
culpable for that situation. This happens all the time. It
happens to businesses, it happens to governments. I can tell
(07:23):
you again firsthand knowledge of a case where the bad
guys got into an attorney's mailbox. The attorney was working
on a settlement with another company. They impersonated that attorney.
Set up mail flow rules so when the opposing attorney
was emailing the attorney in question, he never saw those emails.
They were going into a folder automatically, and then the
bad guys were impersonating this attorney. They agreed to a
(07:44):
three hundred thousand dollars settlement and walked off with three
hundred grand. And yeah, I know this sounds far fetched
to people, but I trust me, you will have no
trouble going online and confirming everything I'm telling you is
happening on a regular basis. So this is one of
those low hanging fruit things, Mike. If you can just
simply lock down your email systems, make sure that everyone
(08:06):
has a strong, unique password, everyone is using multi factor authentication.
While it's not fool proof, that will go a long
long way towards preventing that kind of activity. And there
are some other things you can do as well, but
just those two simple things. And by the way, both
of those cost nothing. It'll literally costs nothing to implement
those two controls. And if you just do that, according
to both Microsoft and Google, they had previously reported if
(08:28):
you just do that, you will block about ninety nine
percent of automated attacks. Again, the bad guys are getting smarter,
they're getting trickier, and how they're approaching this, I doubt
it would block ninety nine percent today. But Microsoft did
recently put out a report based on their research over
the last year, and they list five things. If you
just do these five things, you'll basically be protected against
ninety nine percent of all attacks. So there are simple
(08:51):
well I shouldn't say simple, There are things you can do.
Many of them are very inexpensive. You just got to
do them.
Speaker 1 (08:57):
So then why is it just kind of ties back
in what you just said, and education and awareness is
very very important.
Speaker 3 (09:03):
Then super critical, Mike, and I would argue it's the
most important thing because once people are aware of the risks,
and once people are aware that there are relatively inexpensive
and mostly frictionalist fixes for a lot of this stuff,
and it fix is probably not the right word. Things
that will make you a much more difficult and exponentially
more difficult target. You know, you can reduce your risk greatly.
(09:25):
And so again, helping people understand that, yes, if you
use the same password on all your accounts and it's
easy to guess, easy to crack, easy to hack, one
of your accounts is going to get breached and then
they'll try it on anything they can find for you.
I mean, these people are smart and they're criminals, right,
they want to steal your money, you know, turn it on.
Multi factor authentication again aka two step verification or two
(09:48):
factor authentication. Very simple. I know it's painful for people toil,
they get accustomed to it, but that additional code you
have to have to log in, creates a relatively high
barrier for the bad guys, and unless if you are
being explicitly targeted, in most cases they're just going to
move on to someone who hasn't done it. So again,
it's understanding what are the risks, where should you apply
(10:09):
your time and money to defend against those risks, and
then just doing some of these simple things. Now, you know,
I always try to use this analogy. If I live
next to you and my house is all overgrown with
weeds and bushes, and you know, I don't have any
answort of outside lighting, there's no evidence of a dog
or anything, or alarm systems or anything like that. But
you have no bushes, you have a lot of outdoor lighting,
(10:32):
you have sciences so that you have an alarm system,
and you've got two big, mean German shepherds. If there's
a crime of opportunity, which house do you think they're
going to attack? Well, of course they're going to attack mine. Now,
if they know you have the Hope diamond stored in
your house, they may decide it's worth the risk to
breach all of your security systems and go after it anyway.
But so much of this stuff is they're just taking
advantage of the fact that people don't understand the risk
(10:55):
and aren't doing these simple things they can do to
protect themselves. Really, that's really the bottom line. And for
so much of this stuff.
Speaker 1 (11:02):
Well, what about cyber insurance. I've been reading some stuff
about that, is you know, is that something that small
business should think about.
Speaker 3 (11:11):
Yeah, my advice to you. I mean again, at the
end of the day, it's a business decision based on
how much risk can you tolerate? But yeah, I would
advise you to get cyber insurance. The marketplace is changing rapidly.
Your premiums have gone way up because when insurance companies
first got into this space, they were dealing with businesses
that often wouldn't even understand what they were being asked
(11:32):
to do. So they're saying, yeah, sure, we did that right,
and then next thing you know, they get breached. Now
there's a claim. So it's gotten harder to get cyber insurance.
The premiums have gone up. They usually will run you
through a fairly rigorous questionnaire where you have to say
yes like MFA. Generally, multi factor authentication is almost always
table stakes to even get cyber insurance. They only even
write a policy if you don't have that, because they
(11:53):
understand how effective it is. It's stopping these simple attacks. Yeah,
I would advise you, as a small business to at
least talk to an agent about it, you know, and
then decide cost wise, you know, does it make sense
for you as a business. You know. Now, I'm a
ten full hack guy, Mike, and I freely admit that.
So I'm going to tell you should have cyber insurance.
But I also get no business has an endless well
(12:15):
of cash, and you know, depending on what you do
and how secure you are, you may decide it's not
worth it. The two things though, that come with cyber
insurance generally speaking, that in my opinion, make it worthwhile
is a if you have a breach, you call them first.
They have experts that deal with that sort of thing,
because one of the worst things that could happen, and
I've seen this happen to businesses they have some kind
(12:36):
of breach, they don't really get to the root cause,
and then it happens again. I mean, you can easily
find documented cases where a company is hit with ransomware
multiple times by the same bad actors because they didn't
find the root cause of how they got in the
first place, and usually once the insurance teams get involved,
they have forensics experts that will help you get to
the bottom of that. And then the second thing I
(12:58):
would remind folks, even though we see a lot less
ransomware than we do the business email fraud, financial fraud
type stuff, it is potentially illegal to send ransom payments
to certain countries. So again, the insurance company is going
to have that kind of expertise to help you ununderstand,
like do I need to report this to the government.
Is it going to be a crime if I pay
the ransom to you know, a ran or whatever. So
(13:20):
you know you're getting some additional consulting and guidance in
the events that something does happen, and you know it
might be the difference in terms of the recovery cost
between staying in business and going out of business if
you have the insurance. So I definitely would recommend every
business should at least explore it and understand where it
fits into their risk appetite.
Speaker 1 (13:40):
So AI friend or foe, Well.
Speaker 3 (13:44):
That is an excellent question, and I can argue either
side of that. I will just say this, I think
AI as it's currently implemented in the marketplace, things like
chatch EPT and large language models and so forth, has
been substantially overhyped, and I I think you've now seen
a lot of the illuminary people talking about it start
to come off some of the hype around it. Now
(14:05):
I can tell you I use it pretty regularly when
you understand how it works and what it can do
for you as a business. It can really be like
rocket fuel in certain cases. Okay, like, for example, I'm
going to do a presentation on X. Give me an
outline for this presentation. My audience is going to be business,
small business people, whatever, right, and it'll give you something.
(14:28):
Now you have to understand when you do this, it
will often just make things up aka hallucinations in the business.
So I would recommend don't use it for things that
you don't already have a thorough understanding of, because then
you're going to have to vet the work anyway. But
it can be very helpful a lot of ways, and
it's already baked into a lot of stuff like advanced
antivirus tools. The food piece is the thing I'm more
(14:48):
concerned about. I don't I'm out talking to people about
this stuff all the time, okay, and I don't think
people fully understand how easy it is to create deep fakes,
you know, fake audios, fake videos, and more importantly, voice cloning.
It is absolutely doable. I've done it with two local reporters,
one from Fox nineteen and one from WCPO, where literally
(15:11):
we cloned their voice as part of an interview now
with John mattter Reese and WCPO, this is the gospel truth.
You can watch the video and see for yourself, or
he'll tell you. He calls me out and says, hey,
I'd like to do an interview on voice cloning. I said, yeah,
I think that's a great idea because I don't think
people understand how good this is and what a risk
this is today and how it's only going to get worse.
This interview is almost two years old. Now. You online
(15:33):
easily find it if you search, so I'm not exaggerating, Mike. Literally,
I looked up. I just went online and did a
search because I had not tried this myself prior to
this interview. Okay, I found a site that claimed to
do this, so I played around with it a little
bit while I was waiting for him with my own voice,
like this seems like this will work. John shows up.
It asked him to read a sentence, We record his voice,
(15:54):
We play around with it for maybe ten minutes. So
you know, we were using a free tool. First off,
it literally costs nothing. One of us had any previous
expertise or experience doing this, and within about an hour
we created a facsimile of his voice that I would
say was at least eighty to ninety percent dead on. Wow.
Now that's that's where a free tool and not even
really trying to train it, like working at it to
(16:15):
make it better. You know. Again, folks can go watch
the interview and see for themselves. You will watch me
once we're done. I type in hello, Grahama, this is John.
I need your help and hit the button and it
sounds like him. That was a year and a half ago,
with a free tool and no previous experience. You may
have seen recently these sorts of voice cloning attacks have
started to get some pressed. There was just a story
(16:36):
that came out last week. The CFO, the chief financial
officer of Ferrari, was messaged by the CEO of Ferrari
and which then led into a voice conversation where the
CEO was, you know, trying to set him up to
transfer a bunch of money. Thankfully, the CFO was kind
of wise to this concept, going back to this is
(16:56):
why education and awareness is so important. It's so important
to just be aware that this is a thing, so
you be more skeptical. Right, So he gets on the phone,
the CFO is talking to the CEO, and eventually, even
though he said, they even had the guy's Southern Italian accent,
you know, and I want to come back to how
would you get someone's voice? Eventually the guy just didn't
(17:19):
feel right, so he asked him a question that only
the CEO would know. Apparently, the CEO had recently recommended
a book to the CFO, and the CFO asked him
about that, and then the guy I couldn't answered the question,
at which point he realized he was being scammed. There's
at least two well documented scams, ones documented Forbes the
others all over the I know CNN did at expos
(17:41):
in it twenty five million dollars were stolen by convincing
someone on a zoom call to transfer money. So this,
I know this sounds far affetched to people. This is
a real thing. It's easy to do. And when people say, well,
I'm not the CEO of Ferrari, I'm not a celebrity,
how would you get my voice? My answer is always,
if I call your phone, you have a voicemail greeting, well,
(18:02):
guess what I am you in less than an hour,
and I can say anything I want to say as
you in less than an hour once I have enough
of your voice. So if your voice is out there
in any sort of form that I can capture, I'm
you if I want to be you. And as this
technology improves, you know again, this CEO CFO thing at
Ferrari ended up in a real time conversation where the
(18:23):
deep fake voice cloning was talking to the CFO more
or less real time. That's how advanced this stuff is.
And I just can't stress enough for folks. Whether it's
the you get a call in the middle of the
night from your son who's in jail and needs money,
or your CEO suddenly wants you to do a wire transfer,
you should be extremely skeptical. And I think it's really important,
especially in small companies, to start from the beginning of
(18:47):
trying to build a security culture you know, I'll tell
you know in trust. We deal with this stuff every
day for our customers and also internally, so you know
we're a little different than your average company. But like
with the City of Fort Wright, I'm constantly sharing information
about this with the staff here. We go through regular
cybersecurity awareness training. We use a fish testing product from
no before so people understand what to look for. And
(19:09):
I've tried to work very hard to create a security
culture where everyone here understands that it's okay to question everything,
And in fact, I would rather them question things. I
would rather have someone unhappy with us because we didn't
pay a bill in a timely manner because we questioned it,
then to basically have tax payer funds stolen because we
acted too hastily. And if we have time, I'll tell
(19:30):
you two real world stories right now about the City
of Fort Right. So here here's two. One is a
phishing related email attack, so and again these people are crafty.
Someone took the time to figure out who our city
clerk was, which is easy to do go to the
City of Fort Right website or use LinkedIn. They figured
out that I was the mayor, also easy to do,
(19:50):
so then they sent a spoofed email. They didn't actually
get into my mailbox because I've got every kind of protection,
you know, I'm like Fort Knox when it comes in
ten foy hat, my ten foll hat. He sent a
spoofed email that looked like it came from my email
account to the city clerk asked her how much money
was in our bank account as of that day? It
was four million dollars. Now, how'd you like to be
a criminal? And you get an email back saying, hell,
(20:12):
there's four million dollars in the bank account. You know,
they got to be thinking, Jing, I got a live
one here. So then they come back to her and say,
I'm going to need you to initiate two wire transfers,
one international wire transfer and one local wire transfer. And thankfully,
because she's smart and all my screaming about this, she
started thinking wire transfer. We don't normally do wire transfers,
(20:35):
and why in the world would the city of Fort
Wright do an international wire transfer? Could what could possibly
be the legitimate you purpose of that? Right? So thankfully
she did what we call in the industry, go out
of band. She literally stopped, picked up the phone and
called me and said Dave, what's this email from you
about wire transfers? And I said, Joyce, stop what you're doing,
(20:57):
get your scissors, cut the cable on the back of
the computer. I'll be there in a minute. And thankfully,
you know, disaster was averted because I mean, who knows
how much money they could have stolen had she not
been skeptical and been willing to question things. Right now, again,
this is a small organization. We only have fifty total employees.
Everyone knows everyone else. But I'm trying to help businesses
(21:17):
understand it needs to come from the top down. I
want you to question these kind of things. I want
you to slow roll these things. I want you to
go out of band, go through the internal channels, talk
to these people using numbers that you've previously used before,
or you're going to get scammed. So the second story,
you know, people have seen these stories in the news
about mail carriers having the master key stolen from those
(21:40):
blue boxes. What's primarily for check washing scams. We got
hit with a check washing scam. In fact, we're putting
together a press release on this now to try to
help other organizations understand the risks of this. So we
sent out a check, and through our bank, we use
something called positive pay. I also recommend every small business
ought to have positive pay turned on their accounts, and
(22:02):
you ought to work with your banker to make sure
you have all the security features available because it may
cost a little extra money. But I mean, we lost
twelve thousand dollars, that'll pay for all your positive pay
for a long time. Okay. So every day we send
a log of checks to the bank, and as those
checks try to clear the bank, they're compared to that log,
and if there's any sort of discrepancy, it sends an
(22:22):
alert back to us to confirm it. Okay, So twelve
thousand dollars check goes out somehow ends up in somewhere
in Georgia, and check washing basically they open those mailboxes,
they steal all the mail out of them, they find
the checks that are in there. I don't fully understand
how they do this, but they wash the check, literally
wash it, and then write new information on it. So
in our case, they left the payment amount the same,
(22:44):
but they changed the PAYE ran this check through a
bank and Georgia walked off with twelve thousand bucks because
because unfortunately, even though we had a process and a
system in place. When that alert notification came back, someone here,
unfortunately did not pay enough attention. I guess they didn't
check to PAYE. They just saw that the amount was
the same and approved it. And here's the clincher Mike
(23:05):
had is the way we're set up. If you don't
improve these exceptions within twenty four hours, it just stops
the check. So again, if you slow down, if you
think things over, if you're vigilant and move slow, you're
a lot less likely to have these kind of scams
happen because you can get again, you know, this doesn't
look right, I'm going to question it, and in this case,
it would have automatically blocked. Now I want to give
(23:25):
credit to Republic Bank or our bank, because once we
went to them with us, we called our insurance company
and they said, well, yeah, you know, you guys basically
were negligent in this case. We're not gonna We're not
going to pay you twelve thousand dollars because you didn't
follow your own process, which I understand and respect their
position on it. But I've been trying to give a
lot of credit to Republic Bank because they basically went
to work on this and they were able to get
(23:46):
our money back. We got all twelve thousand dollars back.
That's kind of rare in these situations, So huge kudos
to Tom Salinger and Republic Bank. If you're looking for
a bank, I encourage you to call them today. They've
been amazing to work with. But you know, those are
two real world examples of things happened here. These kinds
of things are happening to businesses every day, and again,
a lot of this with the right education and awareness,
(24:07):
with a security orient culture where people understand that it's
not just acceptable, but you are requested to question things
and slow down and move slower, and then with just
some simple technologies and processes, you will be vastly more
secure than most of your competitors out there, and the
bad guys will just move on.
Speaker 1 (24:25):
Well, Dave, thank you very much. We're going to have
to wrap this up here in a moment. One of
the things I wanted to kind of circle back on
that you said that you feel that the security of
an organization, whether it's a small business, a large business,
or whatever it is, needs to come from the top.
Speaker 3 (24:47):
It really does, because I mean, at the end of
the day, if you don't have the folks at the
top building a security orient culture telling people that this
is important. It's important to me for my business, is
important to you as an employee. It's important to our
customers and vendors and partners who are potentially going to
be scammed when their information gets stolen. It's important to society.
I mean, think about it for a second, Mike, who
(25:09):
here is not spending more time online? Who here doesn't
work online? At least somewhat entertain themselves, shop, educate. Everything
is digital now, so you know, I can make a
strong argument that by taking these kind of actions, you're
not just protecting yourself and your family and your organization,
You're helping to protect society as a whole. You know
where we're well past the place now where one of
(25:29):
these attacks just makes you lose your family photos or whatever.
So yeah, it needs to come from the top down.
You need to have everyone on board and in addition
to being willing to spend some money on tools and
processes and procedures, and to invest some effort in dealing
with some of the friction some of these tools create.
You know, if you have six locks on your door,
(25:49):
it's going to be more secure, but it's also harder
to operate, right, So you know there's there's a balance.
I understand no business has an endless well of cash,
and I also understand that you know, you can't create
so much friction, can't operate, But you need to take
a risk based approach to this, and you know that
needs to come from the top and then it needs
to be constantly reinforced and encouraged that this stuff is important.
I mean, I hate to say it, but people can
(26:11):
lose If the company goes out of business and you're
just some line worker or whatever, you may still lose
your job because of some cyber incident that perhaps you
could have helped prevent. So you know, I just I
want to Yes, it needs to come from a top down,
and I just can't encourage people enough to take this
stuff seriously because I see it almost every day. And again,
I have firsthand knowledge of people who've lost tens of
(26:33):
thousands to millions of dollars that probably could have prevented
if they would have listened to old tenfoil hat Dave
in the first place.
Speaker 1 (26:41):
Well, thank you, Dave. Dave is one of ten presenters
at Scores Confluence Workshop on September eighteenth. The workshop will
cover small business online security, legal issues, AI branding, and
much more. Go to Score forward Slash Greater Cincinnati dot
org for more information and to register. Dave. If somebody
(27:04):
listening to this wants to get a hold of you
or has some interest in, you know, engaging you and
a bigger process, how would they do that? How would
they get ahold of you?
Speaker 3 (27:15):
Well, hopefully they'll come to the Confluence event, Mike. But
outside of that, I'm pretty easy to find. You can
go to interest it dot com. You'll find me there,
and also I'm pretty easy to find on LinkedIn or Twitter.
I will say on Twitter slash x, I'm constantly sharing
this sort of information to try to get it out
there and help educate folks. So you get to follow
me on social media. I'm easy to find and I'm
(27:35):
happy to help with Again.
Speaker 1 (27:37):
Terrific, Thanks Dave, Thanks Mike. If you would like to
sign up with a mentor or would like to become
a mentor, go to score dot org and click on
the appropriate link. Please subscribe to the podcast, share the link,
and thank you very much for listening Score Greater Cincinnati's
Confluence where connections, information and inspiration come together. As a
(28:02):
date of September eighteenth of twenty four from eight thirty
am to two pm at United Way. The theme this
year is Shine Online. You can go to score dot
org slash Greater Cincinnati and be able to register for
that event. Also, you can go to that website and
(28:27):
request a mentor or sign up to be a volunteer.
Thank you for listening. Please subscribe to the podcast and
share the link. Take care
Hello.
Speaker 1 (00:03):
My name is Michael Dawson. You're host of My SINSI
Small Business Stories. In this episode, I'll be talking with
David Hatter, director of Business Growth and Intrust. It also
who is the mayor of Fort Wright, Kentucky, an ad
jump instructor for cincin United State Technical and Community College,
plus a whole lot more. We'll find out more about that,
(00:25):
but first we'll be right back after this message.
Speaker 2 (00:28):
Did you know twice as many small businesses survive past
five years when they have the support from a mentor.
My Sinsey Small Business Story is brought to you by
the volunteer mentors of Score Greater Cincinnati, a nonprofit organization
that helps launch hundreds of new small businesses and even
more jobs in Cincinnati, Northern Kentucky, and Indiana every year.
Our vision is to give every person the support they
(00:49):
need to thrive as a small business owner. Visit score
dot org slash Greater Cincinnati to request a free business
mentor or share your own expertise. You can also listen
and subscribe from more stories about overcoming challenges, clearing obstacles,
and owning a successful small business.
Speaker 1 (01:05):
Welcome, Dave, how you doing.
Speaker 3 (01:07):
I'm good Mike, thanks for having me on. I appreciate
the opportunity to chat with you to day.
Speaker 1 (01:10):
Well, I'm just glad your schedule's so busy. I don't
know how you do it. Do you sleep at night
or what's your secret?
Speaker 3 (01:16):
Lots of black coffee twenty four to seven black coffee.
Speaker 1 (01:20):
There you go. Well, on this episode, we'll be talking
about risk online how to navigate online risk with insight
from cybersecurity, legal and web development Dave. I think the
big thing with regard to small businesses is that they
don't take this stuff seriously, and I have some questions
(01:43):
about that. But first, what is the current state of cybersecurity?
Speaker 3 (01:47):
Well, I think you've hit the nail right on the head, Mike.
I mean, you know, Interest has been in business for
more than thirty years, and you know I've been working
in this field of related fields for my entire career.
I think a lot of businesses think, well, too small,
no one's going to come after me. I don't have
anything worth stealing. And I can assure you A your
data is worth stealing because it has intrinsic value and
(02:08):
B it often leads to money, which is what they're
really after. Your money, your money has value to them,
And I just want to set the stage here, Folks
have to understand most of these attacks on small business
are not coming from some dude and his mom's basement.
They're organized crimical, criminal gangs off shore where you can't
reach them. They're coming from places where they don't have
any money, they don't have any opportunity, but they got
(02:29):
a lot of time on their hands and internet access.
So if it takes a few months to break into
your systems and they walk away with ten thousand dollars,
you know, may not be in ur shattering amount of
money to you, but it's a substantial amount of money
to them, you know, And any money they can make,
especially if you make it easy for them, is a
big score. So you've got to understand the incentives of
the criminals out there. Now, that's not to say you
(02:50):
might not be specifically targeted because you're a you know,
a well known business, or you have specific data they
want to steal, trade secrets or whatever. But when people
say I don't have anything, we're stealing, again, your money's
we're stealing. And I would ask folks, if you don't
want to take my word for it, just go to
the Internet Crime Complaints Center IC three dot gov. It's
hosted by the FBI, where they a take reports of
(03:12):
these sorts of crimes and b roll up a report
every year that shows you the statistics. And I think
most people would be shocked when they realize that a
large amount of this crime is directed towards small businesses
because of this sort of mindset, and frankly, they make
themselves an easy target because they don't do the simple
steps that you they don't implement the simple things you
can do to make yourself a more difficult target. So
(03:33):
that's that's kind of where we're at, and these crimes
are definitely rising. Again, don't take my word. See what
the FBI says, Aback.
Speaker 1 (03:40):
I've read Dave that a stat we're sixty percent of
small businesses that get hacked go out of business within
the first twelve months after the hack.
Speaker 3 (03:50):
You know, Mike, you're going to find statistics all over
the place, and you know there are lots of credible statistics,
people like IBM and Ponnham and put out a really
famous report every year. Verizon puts out data breach report. Again,
You've got the FBI sources that you can look for.
My point is you're going to find stats all over
the place, but you'll typically see a common theme. A
the number of attacks is increasing on organizations of all types,
(04:13):
and be the impact of these types of attacks are increasing.
You may have seen recently the city of Columbus just
got hit with ransomware. City governments in particular, when I
put my mayre's hat on, this is something I'm very
concerned about, are increasingly under attack. So they stole a
bunch of data from Columbus, some of it's already been
released out on the internet, sensitive data, and they asked
for a one point seven million dollar ransom. I will
(04:35):
remind folks Huber Heights just south of Dayton got hit
with a ransomware attack last year, and so far what's
been disclosed publicly that I'm aware of is they are
out over eight hundred thousand dollars. Now think about that.
You could pay for a lot of interest time with
eight hundred thousand dollars just saying you know, so you
know again they're they're going after the money. However they
can get to it in most cases, and you know, sadly,
(04:56):
these kinds of crimes are definitely rising and again I
I really just can't stress en up to people. Well,
there's nothing that's fool proof, there's nothing that will make
you absolutely impervious to these kinds of attacks. There are
things you can do as an individual and as an
organization that will make you a much much more difficult target.
And in most cases, unless you are being explicitly targeted
for some reason, they're going to move on to a
(05:18):
softer target. You know, they don't want to spend three
months to break into your organization if they can spend
three minutes to break into another one, steal some money
and move on, right. I mean it's in many cases
these are crimes of opportunity and they're just going for
the low hanging fruit.
Speaker 1 (05:31):
Unfortunately, what are the most common attacks that you're seeing.
Speaker 3 (05:36):
So in the Cincinnati market, And this is backed up
by the statistics you will find if you go look
for the most part, the fundamental thing we see is
what's sort of known in the business's business email compromise,
and that's a pretty wide umbrella. But this is another
myth I'm constantly trying to dispel. People say, well, what
could you do if you get into my email? I
don't have anything secret in there, I don't care well
(05:57):
some of the things I might be able to do,
And I'm going to give you some real world instances.
I have firsthand knowledge of a Cincinnati based company that
lost nine hundred and eighty three thousand dollars because their
email is compromised. So one of the most common types
of business email compromise is because people have bad passwords,
because people don't use multi factor authentication, the bad guys
are able to get into their email. They lurk around
(06:19):
in there and just see what you're talking about, what
you're doing. Perhaps then they will impersonate you. Perhaps they
will send emails as you. You know. The most common
thing is, as a business email compromise, I figure out
who you are sending invoices to, and then around the
invoice cycle time, I make duplicates of your invoices, but
(06:40):
I change the payment information. So now an invoice comes
from a legitimate email address in your company, it goes
to someone who's expecting an invoice from you. And unless
they read it very carefully and notice you've changed the
payment information, guess what the bad guys send the money
to somewhere else, or the bad guys get the money
that should have been sent to you. Now, how do
(07:00):
you think it's going to go, Mike, When you call
your customer like, hey, you didn't pay invoice numbers such
and such, and they go, oh, sure we did. You know,
here's the check number. You go, well, we didn't get
the money. You think they're going to cut you another
check for that? I can bumble you. I can assure
you they are not, because you know you are entirely
culpable for that situation. This happens all the time. It
happens to businesses, it happens to governments. I can tell
(07:23):
you again firsthand knowledge of a case where the bad
guys got into an attorney's mailbox. The attorney was working
on a settlement with another company. They impersonated that attorney.
Set up mail flow rules so when the opposing attorney
was emailing the attorney in question, he never saw those emails.
They were going into a folder automatically, and then the
bad guys were impersonating this attorney. They agreed to a
(07:44):
three hundred thousand dollars settlement and walked off with three
hundred grand. And yeah, I know this sounds far fetched
to people, but I trust me, you will have no
trouble going online and confirming everything I'm telling you is
happening on a regular basis. So this is one of
those low hanging fruit things, Mike. If you can just
simply lock down your email systems, make sure that everyone
(08:06):
has a strong, unique password, everyone is using multi factor authentication.
While it's not fool proof, that will go a long
long way towards preventing that kind of activity. And there
are some other things you can do as well, but
just those two simple things. And by the way, both
of those cost nothing. It'll literally costs nothing to implement
those two controls. And if you just do that, according
to both Microsoft and Google, they had previously reported if
(08:28):
you just do that, you will block about ninety nine
percent of automated attacks. Again, the bad guys are getting smarter,
they're getting trickier, and how they're approaching this, I doubt
it would block ninety nine percent today. But Microsoft did
recently put out a report based on their research over
the last year, and they list five things. If you
just do these five things, you'll basically be protected against
ninety nine percent of all attacks. So there are simple
(08:51):
well I shouldn't say simple, There are things you can do.
Many of them are very inexpensive. You just got to
do them.
Speaker 1 (08:57):
So then why is it just kind of ties back
in what you just said, and education and awareness is
very very important.
Speaker 3 (09:03):
Then super critical, Mike, and I would argue it's the
most important thing because once people are aware of the risks,
and once people are aware that there are relatively inexpensive
and mostly frictionalist fixes for a lot of this stuff,
and it fix is probably not the right word. Things
that will make you a much more difficult and exponentially
more difficult target. You know, you can reduce your risk greatly.
(09:25):
And so again, helping people understand that, yes, if you
use the same password on all your accounts and it's
easy to guess, easy to crack, easy to hack, one
of your accounts is going to get breached and then
they'll try it on anything they can find for you.
I mean, these people are smart and they're criminals, right,
they want to steal your money, you know, turn it on.
Multi factor authentication again aka two step verification or two
(09:48):
factor authentication. Very simple. I know it's painful for people toil,
they get accustomed to it, but that additional code you
have to have to log in, creates a relatively high
barrier for the bad guys, and unless if you are
being explicitly targeted, in most cases they're just going to
move on to someone who hasn't done it. So again,
it's understanding what are the risks, where should you apply
(10:09):
your time and money to defend against those risks, and
then just doing some of these simple things. Now, you know,
I always try to use this analogy. If I live
next to you and my house is all overgrown with
weeds and bushes, and you know, I don't have any
answort of outside lighting, there's no evidence of a dog
or anything, or alarm systems or anything like that. But
you have no bushes, you have a lot of outdoor lighting,
(10:32):
you have sciences so that you have an alarm system,
and you've got two big, mean German shepherds. If there's
a crime of opportunity, which house do you think they're
going to attack? Well, of course they're going to attack mine. Now,
if they know you have the Hope diamond stored in
your house, they may decide it's worth the risk to
breach all of your security systems and go after it anyway.
But so much of this stuff is they're just taking
advantage of the fact that people don't understand the risk
(10:55):
and aren't doing these simple things they can do to
protect themselves. Really, that's really the bottom line. And for
so much of this stuff.
Speaker 1 (11:02):
Well, what about cyber insurance. I've been reading some stuff
about that, is you know, is that something that small
business should think about.
Speaker 3 (11:11):
Yeah, my advice to you. I mean again, at the
end of the day, it's a business decision based on
how much risk can you tolerate? But yeah, I would
advise you to get cyber insurance. The marketplace is changing rapidly.
Your premiums have gone way up because when insurance companies
first got into this space, they were dealing with businesses
that often wouldn't even understand what they were being asked
(11:32):
to do. So they're saying, yeah, sure, we did that right,
and then next thing you know, they get breached. Now
there's a claim. So it's gotten harder to get cyber insurance.
The premiums have gone up. They usually will run you
through a fairly rigorous questionnaire where you have to say
yes like MFA. Generally, multi factor authentication is almost always
table stakes to even get cyber insurance. They only even
write a policy if you don't have that, because they
(11:53):
understand how effective it is. It's stopping these simple attacks. Yeah,
I would advise you, as a small business to at
least talk to an agent about it, you know, and
then decide cost wise, you know, does it make sense
for you as a business. You know. Now, I'm a
ten full hack guy, Mike, and I freely admit that.
So I'm going to tell you should have cyber insurance.
But I also get no business has an endless well
(12:15):
of cash, and you know, depending on what you do
and how secure you are, you may decide it's not
worth it. The two things though, that come with cyber
insurance generally speaking, that in my opinion, make it worthwhile
is a if you have a breach, you call them first.
They have experts that deal with that sort of thing,
because one of the worst things that could happen, and
I've seen this happen to businesses they have some kind
(12:36):
of breach, they don't really get to the root cause,
and then it happens again. I mean, you can easily
find documented cases where a company is hit with ransomware
multiple times by the same bad actors because they didn't
find the root cause of how they got in the
first place, and usually once the insurance teams get involved,
they have forensics experts that will help you get to
the bottom of that. And then the second thing I
(12:58):
would remind folks, even though we see a lot less
ransomware than we do the business email fraud, financial fraud
type stuff, it is potentially illegal to send ransom payments
to certain countries. So again, the insurance company is going
to have that kind of expertise to help you ununderstand,
like do I need to report this to the government.
Is it going to be a crime if I pay
the ransom to you know, a ran or whatever. So
(13:20):
you know you're getting some additional consulting and guidance in
the events that something does happen, and you know it
might be the difference in terms of the recovery cost
between staying in business and going out of business if
you have the insurance. So I definitely would recommend every
business should at least explore it and understand where it
fits into their risk appetite.
Speaker 1 (13:40):
So AI friend or foe, Well.
Speaker 3 (13:44):
That is an excellent question, and I can argue either
side of that. I will just say this, I think
AI as it's currently implemented in the marketplace, things like
chatch EPT and large language models and so forth, has
been substantially overhyped, and I I think you've now seen
a lot of the illuminary people talking about it start
to come off some of the hype around it. Now
(14:05):
I can tell you I use it pretty regularly when
you understand how it works and what it can do
for you as a business. It can really be like
rocket fuel in certain cases. Okay, like, for example, I'm
going to do a presentation on X. Give me an
outline for this presentation. My audience is going to be business,
small business people, whatever, right, and it'll give you something.
(14:28):
Now you have to understand when you do this, it
will often just make things up aka hallucinations in the business.
So I would recommend don't use it for things that
you don't already have a thorough understanding of, because then
you're going to have to vet the work anyway. But
it can be very helpful a lot of ways, and
it's already baked into a lot of stuff like advanced
antivirus tools. The food piece is the thing I'm more
(14:48):
concerned about. I don't I'm out talking to people about
this stuff all the time, okay, and I don't think
people fully understand how easy it is to create deep fakes,
you know, fake audios, fake videos, and more importantly, voice cloning.
It is absolutely doable. I've done it with two local reporters,
one from Fox nineteen and one from WCPO, where literally
(15:11):
we cloned their voice as part of an interview now
with John mattter Reese and WCPO, this is the gospel truth.
You can watch the video and see for yourself, or
he'll tell you. He calls me out and says, hey,
I'd like to do an interview on voice cloning. I said, yeah,
I think that's a great idea because I don't think
people understand how good this is and what a risk
this is today and how it's only going to get worse.
This interview is almost two years old. Now. You online
(15:33):
easily find it if you search, so I'm not exaggerating, Mike. Literally,
I looked up. I just went online and did a
search because I had not tried this myself prior to
this interview. Okay, I found a site that claimed to
do this, so I played around with it a little
bit while I was waiting for him with my own voice,
like this seems like this will work. John shows up.
It asked him to read a sentence, We record his voice,
(15:54):
We play around with it for maybe ten minutes. So
you know, we were using a free tool. First off,
it literally costs nothing. One of us had any previous
expertise or experience doing this, and within about an hour
we created a facsimile of his voice that I would
say was at least eighty to ninety percent dead on. Wow.
Now that's that's where a free tool and not even
really trying to train it, like working at it to
(16:15):
make it better. You know. Again, folks can go watch
the interview and see for themselves. You will watch me
once we're done. I type in hello, Grahama, this is John.
I need your help and hit the button and it
sounds like him. That was a year and a half ago,
with a free tool and no previous experience. You may
have seen recently these sorts of voice cloning attacks have
started to get some pressed. There was just a story
(16:36):
that came out last week. The CFO, the chief financial
officer of Ferrari, was messaged by the CEO of Ferrari
and which then led into a voice conversation where the
CEO was, you know, trying to set him up to
transfer a bunch of money. Thankfully, the CFO was kind
of wise to this concept, going back to this is
(16:56):
why education and awareness is so important. It's so important
to just be aware that this is a thing, so
you be more skeptical. Right, So he gets on the phone,
the CFO is talking to the CEO, and eventually, even
though he said, they even had the guy's Southern Italian accent,
you know, and I want to come back to how
would you get someone's voice? Eventually the guy just didn't
(17:19):
feel right, so he asked him a question that only
the CEO would know. Apparently, the CEO had recently recommended
a book to the CFO, and the CFO asked him
about that, and then the guy I couldn't answered the question,
at which point he realized he was being scammed. There's
at least two well documented scams, ones documented Forbes the
others all over the I know CNN did at expos
(17:41):
in it twenty five million dollars were stolen by convincing
someone on a zoom call to transfer money. So this,
I know this sounds far affetched to people. This is
a real thing. It's easy to do. And when people say, well,
I'm not the CEO of Ferrari, I'm not a celebrity,
how would you get my voice? My answer is always,
if I call your phone, you have a voicemail greeting, well,
(18:02):
guess what I am you in less than an hour,
and I can say anything I want to say as
you in less than an hour once I have enough
of your voice. So if your voice is out there
in any sort of form that I can capture, I'm
you if I want to be you. And as this
technology improves, you know again, this CEO CFO thing at
Ferrari ended up in a real time conversation where the
(18:23):
deep fake voice cloning was talking to the CFO more
or less real time. That's how advanced this stuff is.
And I just can't stress enough for folks. Whether it's
the you get a call in the middle of the
night from your son who's in jail and needs money,
or your CEO suddenly wants you to do a wire transfer,
you should be extremely skeptical. And I think it's really important,
especially in small companies, to start from the beginning of
(18:47):
trying to build a security culture you know, I'll tell
you know in trust. We deal with this stuff every
day for our customers and also internally, so you know
we're a little different than your average company. But like
with the City of Fort Wright, I'm constantly sharing information
about this with the staff here. We go through regular
cybersecurity awareness training. We use a fish testing product from
no before so people understand what to look for. And
(19:09):
I've tried to work very hard to create a security
culture where everyone here understands that it's okay to question everything,
And in fact, I would rather them question things. I
would rather have someone unhappy with us because we didn't
pay a bill in a timely manner because we questioned it,
then to basically have tax payer funds stolen because we
acted too hastily. And if we have time, I'll tell
(19:30):
you two real world stories right now about the City
of Fort Right. So here here's two. One is a
phishing related email attack, so and again these people are crafty.
Someone took the time to figure out who our city
clerk was, which is easy to do go to the
City of Fort Right website or use LinkedIn. They figured
out that I was the mayor, also easy to do,
(19:50):
so then they sent a spoofed email. They didn't actually
get into my mailbox because I've got every kind of protection,
you know, I'm like Fort Knox when it comes in
ten foy hat, my ten foll hat. He sent a
spoofed email that looked like it came from my email
account to the city clerk asked her how much money
was in our bank account as of that day? It
was four million dollars. Now, how'd you like to be
a criminal? And you get an email back saying, hell,
(20:12):
there's four million dollars in the bank account. You know,
they got to be thinking, Jing, I got a live
one here. So then they come back to her and say,
I'm going to need you to initiate two wire transfers,
one international wire transfer and one local wire transfer. And thankfully,
because she's smart and all my screaming about this, she
started thinking wire transfer. We don't normally do wire transfers,
(20:35):
and why in the world would the city of Fort
Wright do an international wire transfer? Could what could possibly
be the legitimate you purpose of that? Right? So thankfully
she did what we call in the industry, go out
of band. She literally stopped, picked up the phone and
called me and said Dave, what's this email from you
about wire transfers? And I said, Joyce, stop what you're doing,
(20:57):
get your scissors, cut the cable on the back of
the computer. I'll be there in a minute. And thankfully,
you know, disaster was averted because I mean, who knows
how much money they could have stolen had she not
been skeptical and been willing to question things. Right now, again,
this is a small organization. We only have fifty total employees.
Everyone knows everyone else. But I'm trying to help businesses
(21:17):
understand it needs to come from the top down. I
want you to question these kind of things. I want
you to slow roll these things. I want you to
go out of band, go through the internal channels, talk
to these people using numbers that you've previously used before,
or you're going to get scammed. So the second story,
you know, people have seen these stories in the news
about mail carriers having the master key stolen from those
(21:40):
blue boxes. What's primarily for check washing scams. We got
hit with a check washing scam. In fact, we're putting
together a press release on this now to try to
help other organizations understand the risks of this. So we
sent out a check, and through our bank, we use
something called positive pay. I also recommend every small business
ought to have positive pay turned on their accounts, and
(22:02):
you ought to work with your banker to make sure
you have all the security features available because it may
cost a little extra money. But I mean, we lost
twelve thousand dollars, that'll pay for all your positive pay
for a long time. Okay. So every day we send
a log of checks to the bank, and as those
checks try to clear the bank, they're compared to that log,
and if there's any sort of discrepancy, it sends an
(22:22):
alert back to us to confirm it. Okay, So twelve
thousand dollars check goes out somehow ends up in somewhere
in Georgia, and check washing basically they open those mailboxes,
they steal all the mail out of them, they find
the checks that are in there. I don't fully understand
how they do this, but they wash the check, literally
wash it, and then write new information on it. So
in our case, they left the payment amount the same,
(22:44):
but they changed the PAYE ran this check through a
bank and Georgia walked off with twelve thousand bucks because
because unfortunately, even though we had a process and a
system in place. When that alert notification came back, someone here,
unfortunately did not pay enough attention. I guess they didn't
check to PAYE. They just saw that the amount was
the same and approved it. And here's the clincher Mike
(23:05):
had is the way we're set up. If you don't
improve these exceptions within twenty four hours, it just stops
the check. So again, if you slow down, if you
think things over, if you're vigilant and move slow, you're
a lot less likely to have these kind of scams
happen because you can get again, you know, this doesn't
look right, I'm going to question it, and in this case,
it would have automatically blocked. Now I want to give
(23:25):
credit to Republic Bank or our bank, because once we
went to them with us, we called our insurance company
and they said, well, yeah, you know, you guys basically
were negligent in this case. We're not gonna We're not
going to pay you twelve thousand dollars because you didn't
follow your own process, which I understand and respect their
position on it. But I've been trying to give a
lot of credit to Republic Bank because they basically went
to work on this and they were able to get
(23:46):
our money back. We got all twelve thousand dollars back.
That's kind of rare in these situations, So huge kudos
to Tom Salinger and Republic Bank. If you're looking for
a bank, I encourage you to call them today. They've
been amazing to work with. But you know, those are
two real world examples of things happened here. These kinds
of things are happening to businesses every day, and again,
a lot of this with the right education and awareness,
(24:07):
with a security orient culture where people understand that it's
not just acceptable, but you are requested to question things
and slow down and move slower, and then with just
some simple technologies and processes, you will be vastly more
secure than most of your competitors out there, and the
bad guys will just move on.
Speaker 1 (24:25):
Well, Dave, thank you very much. We're going to have
to wrap this up here in a moment. One of
the things I wanted to kind of circle back on
that you said that you feel that the security of
an organization, whether it's a small business, a large business,
or whatever it is, needs to come from the top.
Speaker 3 (24:47):
It really does, because I mean, at the end of
the day, if you don't have the folks at the
top building a security orient culture telling people that this
is important. It's important to me for my business, is
important to you as an employee. It's important to our
customers and vendors and partners who are potentially going to
be scammed when their information gets stolen. It's important to society.
I mean, think about it for a second, Mike, who
(25:09):
here is not spending more time online? Who here doesn't
work online? At least somewhat entertain themselves, shop, educate. Everything
is digital now, so you know, I can make a
strong argument that by taking these kind of actions, you're
not just protecting yourself and your family and your organization,
You're helping to protect society as a whole. You know
where we're well past the place now where one of
(25:29):
these attacks just makes you lose your family photos or whatever.
So yeah, it needs to come from the top down.
You need to have everyone on board and in addition
to being willing to spend some money on tools and
processes and procedures, and to invest some effort in dealing
with some of the friction some of these tools create.
You know, if you have six locks on your door,
(25:49):
it's going to be more secure, but it's also harder
to operate, right, So you know there's there's a balance.
I understand no business has an endless well of cash,
and I also understand that you know, you can't create
so much friction, can't operate, But you need to take
a risk based approach to this, and you know that
needs to come from the top and then it needs
to be constantly reinforced and encouraged that this stuff is important.
I mean, I hate to say it, but people can
(26:11):
lose If the company goes out of business and you're
just some line worker or whatever, you may still lose
your job because of some cyber incident that perhaps you
could have helped prevent. So you know, I just I
want to Yes, it needs to come from a top down,
and I just can't encourage people enough to take this
stuff seriously because I see it almost every day. And again,
I have firsthand knowledge of people who've lost tens of
(26:33):
thousands to millions of dollars that probably could have prevented
if they would have listened to old tenfoil hat Dave
in the first place.
Speaker 1 (26:41):
Well, thank you, Dave. Dave is one of ten presenters
at Scores Confluence Workshop on September eighteenth. The workshop will
cover small business online security, legal issues, AI branding, and
much more. Go to Score forward Slash Greater Cincinnati dot
org for more information and to register. Dave. If somebody
(27:04):
listening to this wants to get a hold of you
or has some interest in, you know, engaging you and
a bigger process, how would they do that? How would
they get ahold of you?
Speaker 3 (27:15):
Well, hopefully they'll come to the Confluence event, Mike. But
outside of that, I'm pretty easy to find. You can
go to interest it dot com. You'll find me there,
and also I'm pretty easy to find on LinkedIn or Twitter.
I will say on Twitter slash x, I'm constantly sharing
this sort of information to try to get it out
there and help educate folks. So you get to follow
me on social media. I'm easy to find and I'm
(27:35):
happy to help with Again.
Speaker 1 (27:37):
Terrific, Thanks Dave, Thanks Mike. If you would like to
sign up with a mentor or would like to become
a mentor, go to score dot org and click on
the appropriate link. Please subscribe to the podcast, share the link,
and thank you very much for listening Score Greater Cincinnati's
Confluence where connections, information and inspiration come together. As a
(28:02):
date of September eighteenth of twenty four from eight thirty
am to two pm at United Way. The theme this
year is Shine Online. You can go to score dot
org slash Greater Cincinnati and be able to register for
that event. Also, you can go to that website and
(28:27):
request a mentor or sign up to be a volunteer.
Thank you for listening. Please subscribe to the podcast and
share the link. Take care
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
New Heights with Jason & Travis Kelce
Football’s funniest family duo — Jason Kelce of the Philadelphia Eagles and Travis Kelce of the Kansas City Chiefs — team up to provide next-level access to life in the league as it unfolds. The two brothers and Super Bowl champions drop weekly insights about the weekly slate of games and share their INSIDE perspectives on trending NFL news and sports headlines. They also endlessly rag on each other as brothers do, chat the latest in pop culture and welcome some very popular and well-known friends to chat with them. Check out new episodes every Wednesday. Follow New Heights on the Wondery App, YouTube or wherever you get your podcasts. You can listen to new episodes early and ad-free, and get exclusive content on Wondery+. Join Wondery+ in the Wondery App, Apple Podcasts or Spotify. And join our new membership for a unique fan experience by going to the New Heights YouTube channel now!